TryHackMe - Windows Forensics 1 - Hands-on Challenge

• We will identify where the different files for the relevant registry hives are located and load them into Registry Explorer for analysis.

Scenario Notes:

• One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized.
• Although they generally have only one user account per Desktop, there were multiple user accounts observed on this system.
• It is also suspected that the system was connected to some network drive, and a USB device was connected to the system
• The triage data from the system was collected and placed on the attached?VM

Open the EZTools folder on the desktop, then navigate to the RegistryExplorer application file and double click it to run it:

Questions:

To load the needed hives click File > Load hive:

Go to Desktop\triage\C\Windows\System32\config.

Select the SAM hive.

In Registry Explorer go to SAM\Domain\Account\Users

Question 1:

How many user created accounts are present on the system?

Answer:

3

Explanation:

Look back at the “System Information and System Accounts” task

We see a built in account, a default account, and a utility account. Looks like the other 3 accounts were user-created.

Question 2:

What is the username of the account that has never been logged in?

Answer:

thm-user2

Explanation:

Expand the Last Login Time column to see that thm-user2 has no data.

Question 3:

What's the password hint for the user THM-4n6?

Answer:

count

Explanation:

Expand the Password Hint column

Question 4:

When was the file 'Changelog.txt' accessed?

Answer:

2021-11-24 18:18:48

Explanation:

From task “Usage or knowledge of files/folders” we see that info about recent files is stored here:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Load the following hive in Registry Explorer:

Desktop\triage\C\Users\THM-4n6\NTUSER.DAT

In the NTUSER.DAT hive go to: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt

See the Opened On column.

Question 5:

What is the complete path from where the python 3.8.2 installer was run?

Answer:

z:\setups\python-3.8.2.exe

Explanation:

Refer to task “Evidence of Execution”

The following location has info regarding programs launched, the time of their launch, and the number of times they were executed:

NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count

Question 6:

When was the USB device with the friendly name 'USB' last connected?

Answer:

2021-11-24 18:40:06

Explanation:

From Task “External Devices/USB device forensics” we can that info about USB keys plugged into a system is stored here:

SYSTEM\\CurrentControlSet\\Enum\\USBSTOR

-AND-

SYSTEM\\CurrentControlSet\\Enum\\USB

Load this hive in Registry Explorer:

Desktop\triage\C\Windows\System32\config\SYSTEM

Click yes

Click ok

Choose SYSTEM.LOG1 and click open

Click ok

Click Save

Click yes

Click no

The hive can be found in Registry Explorer now

Load the SOFTWARE hive into Registry Explorer

Follow this path and find the Device with friendly name USB:

SOFTWARE\Microsoft\Windows Portable Devices\Devices

Take note of the GUID

Go back to SYSTEM\CurrentControlSet\Enum\USBSTOR

Here, we can see when the device with the matching ID was last connected